Texas-based Exodus Intelligence believed India used its “zero-days”, security vulnerabilities that hackers can use to attack systems, to spy on Pakistan and China, according to a report published in Forbes.
Exodus CEO and co-founder Logan Brown said that, after an investigation, he believes India handpicked one of the Windows vulnerabilities from the feed, allowing deep access to Microsoft’s operating system, and Indian government personnel or a contractor adapted it for malicious means.
Earlier this year, researchers at Russian cybersecurity firm Kaspersky witnessed a cyber espionage campaign targeting Microsoft Windows PCs at government and telecom entities in China and Pakistan. The attacks began in June 2020 and continued through to April 2021.

Exodus Intelligence stops selling new zero-day research to India
The Exodus CEO maintained that India was subsequently cut off from buying new zero-day research from his company in April and it has worked with Microsoft to patch the vulnerabilities.
The Indian use of his company’s research was beyond the pale, though Exodus doesn’t limit what customers do with its findings, Brown said, adding, “You can use it offensively if you want, but not if you’re going to be . . . shotgun blasting Pakistan and China. I don’t want any part of that.” (The Indian embassy in London hadn’t responded to requests for comment.)
The US company also looked at a second vulnerability Kaspersky had attributed to Moses, another flaw that allowed a hacker to get higher privileges on a Windows computer. It was not linked to any particular espionage campaign, but Brown confirmed it was one of his company’s, adding that it would “make sense” that India or one of its contractors had weaponised that vulnerability, too.

Beyond the two zero days already abused, according to Kaspersky, “at least six vulnerabilities” made by Moses have made it out “into the wild” in the last two years. Also according to Kaspersky, another hacking crew known as DarkHotel, believed by some cybersecurity researchers to be sponsored by South Korea, has used Moses’ zero days. South Korea is not a customer of Exodus.
‘India leaks some of our research’
“We are pretty sure India leaked some of our research,” Brown said. “We cut them off and haven’t heard anything since then . . . so the assumption is that we were correct.”
Exodus, when asked by Five Eyes countries (an alliance of intelligence-sharing countries that includes the U.S., U.K., Canada, Australia, and New Zealand) or their allies, will provide both information on a zero-day vulnerability and the software required to exploit it. But its main product is akin to a Facebook news feed of software vulnerabilities, sans exploits, for up to $250,000 a year.

Luca Todesco, an Italian zero-day developer and a Forbes 30 Under 30 alum, tweeted last year about “the worst outcome I could see from doing my line of work” after seeing iPhone hacks used for surveillance of the Uyghur community, a minority persecuted by the Chinese government.
In direct messages over Twitter, Todesco denied that he’d ever sold any code that ended up in the attacks, but said he’d been openly sharing his findings with multiple, unnamed individuals. He claimed he didn’t know how or why his code ended up being used in attacks on the Uyghur community, but added, “I would have avoided sharing had I known.” He continues to develop exploits as part of a new Italian company he cofounded, Dataflow Security.
That kind of abuse is what Aaron Portnoy, a 36-year-old former executive and cofounder of Exodus with Brown, has worried about of late.
“It’s almost like I was being taken advantage of . . . It felt very much like I was a tool that was being used for a bigger purpose that I really had no insight into,” says Portnoy, now plying his trade at Randori, a Massachusetts-based cybersecurity firm. “I don’t know that I would trust any given administration to be making all the choices that I would make.”

But Exodus was right to cut off India, says Moussouris, and more onus should be on the buyers when it comes to preventing abuse. Brown says he’s only ever had to cut off one other customer, a French police agency, after an Exodus hack it used to target dark web child predators was exposed. “Anytime our data becomes accessible to the public, especially malicious actors, it is a breach of contract,” Brown adds.
Pedram Amini, an Exodus advisor and founder of the Zero Day Initiative, where Brown, Portnoy and another Exodus cofounder once worked, says the company’s record of cutting ties with just two customers over a decade is impressive. Amini adds that he’s happy with “the tightrope Exodus was walking” when vetting customers. “I would not be involved in this company at all if we were, for example, working with the Saudis.”
Knowing that its zero days can be used offensively, Brown’s company could have chosen not to sell to India, a country that’s been accused of abuse of spyware in recent revelations about global use of tools made by Israel’s $1 billion-valued NSO Group.

